Enterprise Risk Management (ERM)

Unlocking success: the crucial role of business analysts in the risk management world.

By Gaurav Parihar, Yash Hariyani, and Harsha Amanaganti

Organizations exist to generate value for their stakeholders. In turn, value is produced by establishing goals, creating strategies, carrying them out, and continuously improving procedures. At least, that’s the ideal scenario. But in the real world, with growing complexities, making a plan and following through on it can be challenging. There is always a chance that certain things could make these plans fail. Management must make sufficient preparations to guarantee that systems are in place to keep achieving goals even when the beast of unforeseen circumstances rears its head.

“The riskiest of all risks is the unidentified risk!”
Many a project manager

These uncertainties can be directly addressed using Enterprise Risk Management (ERM), which enables management to oversee the continuous production of value on a comprehensive, integrated, and organizational level.

Introduction to and basics of Enterprise Risk management (ERM)

ERM is a process management technique that aims to recognize, comprehend, and prepare for threats, hazards, and other potential departure from SOPs that might be viewed as risks.
Construction, banking, aviation, healthcare, energy, and marketing are just a few sectors that use ERM.

The question the ERM practitioners try to address
is: “What are the major risks that could stop us from achieving the
mission?”

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), from Enterprise Risk Management — Integrating with Strategy and Performance, defines ERM as “The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Corporate risk management entails not only detecting risks but also planning how to handle them and allocating priority among several active or potential risks.

Shareholders, stakeholders, investors, and other relevant interested parties should all have clear, direct access to plans, policies, and procedures for risk management as part of documented information or regular reports.

More recently, risk management resembles a business process management framework as standards have become more defined and widely used. That is to say, ERM systems will typically place a greater emphasis on internal process control, continuous improvement principles, internal audits, and standard compliance to minimize controlled risk as much as possible. They will also typically set up preventative measures for risks and hazards that fall outside the purview of internal process control.

Core areas

Risk management covers four core areas:

1. Hazard Risk Management: Risk Managers try to identify the exposures of risks along with their severity and frequency by focusing on preventive and crisis risk management.
2. Internal Control: These are the necessary processes that organizations make to ensure that all controls and processes are being followed. Highly regulated large organizations tend to have very robust and expansive systems of internal control.
3. Internal Audits: These are the processes used to ensure that the internal processes are up to the mark and function properly. These audits compare the documented policies to the organization's actual implementation of risk control. At the end of an audit, a report is prepared, which basically contains the findings and recommendations based on the weaknesses identified in the system.
4. Regulatory Compliance: Every company needs to follow some rules and regulations related to different fields of work in which the company is involved. Regulatory compliance is the area of enterprise risk management that ensures that these rules and regulations are correctly followed.

The ERM Process

The ERM Process has five steps, as shown in the image below:

Risk Management steps

• Setting objectives
  ERM alone doesn’t realize business objectives; the fruits of the ERM program are extremely important for strategizing to achieve and exceed these business objectives for any organization.
  Using an ERM framework ensures that a business has its objectives aligned with its mission, vision, and core values.
• Identify risks
  All risks should be clearly identified, defined, and well-documented. Systematically assessing each area of business operation is imperative to identify and define risks clearly.
• Assess risks
  Once we have adequately documented all the significant risks, an assessment of their likelihood and estimated significance using qualitative approaches like the prioritization matrix to more in-depth mathematical models. This task aims to help management determine which risks deserve the most immediate attention.
• Risk response
  This basically details plans to respond to the high-priority risks. Risk response falls into four categories- Avoidance, Reduction, Sharing, and Acceptance.
• Risk monitoring
  To determine the significance they represent, risks need to be monitored carefully. Organizations need proper systems to monitor and respond to changes in circumstances and adequately determine if identified risks still pose a threat.

Role of business analysts in ERM

As a part of the elicitation effort, Business Analysts typically identify the risks by asking what-if questions to the stakeholders. In an enterprise, the Business Analysts plan for risks to ensure that when negative things happen, the enterprise is ready to mitigate them.

Below are the few roles and responsibilities of Business Analysts in ERM:

• Identifying and analyzing qualitative/quantitative factors contributing to the risks.
• Setting up Risk Libraries as per the data and guiding the team.
• Setting up and customizing the formulas using the factors for Inherent /Residual Risk.
• Keeping an eye on platform-level upgrades at the enterprise and product levels.
• Having a proper understanding of the Risk Frameworks being used.
• Explaining and analyzing the Risk treatments / Mitigations / Strategies.
• Suggesting process improvements.

Conclusion

With the continuously evolving global business environment, the complexity and number of risks affecting an enterprise are increasing rapidly, as are the expectations for more effective risk oversight.

Hence Enterprise Risk Management(ERM) is becoming a widely embraced business paradigm for accomplishing more effective risk management and is of utmost importance to be considered in planning.

Business Analysts play a crucial role right from risk identification to devising a proper risk management plan and hence it is crucial for them to understand all aspects of ERM.